diff --git a/src/HttpServer.cc b/src/HttpServer.cc
index f4dec3c5..7c5e9217 100644
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@@ -2121,6 +2121,7 @@ int HttpServer::run() {
   SSL_CTX_set_options(ssl_ctx, ssl_opts);
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+  SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
 
   if (SSL_CTX_set_cipher_list(ssl_ctx, ssl::DEFAULT_CIPHER_LIST) == 0) {
     std::cerr << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
diff --git a/src/h2load.cc b/src/h2load.cc
index e7840d25..5d4f6321 100644
--- a/src/h2load.cc
+++ b/src/h2load.cc
@@ -2248,6 +2248,7 @@ int main(int argc, char **argv) {
   SSL_CTX_set_options(ssl_ctx, ssl_opts);
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+  SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
 
   if (SSL_CTX_set_cipher_list(ssl_ctx, config.ciphers.c_str()) == 0) {
     std::cerr << "SSL_CTX_set_cipher_list with " << config.ciphers
diff --git a/src/nghttp.cc b/src/nghttp.cc
index f9ba6ce8..be379b59 100644
--- a/src/nghttp.cc
+++ b/src/nghttp.cc
@@ -2212,6 +2212,7 @@ int communicate(
   SSL_CTX_set_options(ssl_ctx, ssl_opts);
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+  SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
 
   if (SSL_CTX_set_cipher_list(ssl_ctx, CIPHER_LIST) == 0) {
     std::cerr << "[ERROR] " << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index 3351fea9..84703c95 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
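Review bot: The added `SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);` in HttpServer::run uses the BoringSSL spelling of the setter, while the shrpx_ssl.cc hunks in this same commit use the OpenSSL name `SSL_CTX_set_max_proto_version`; as far as I know OpenSSL does not define `SSL_CTX_set_max_version`, so this hunk and the identical ones in h2load.cc and nghttp.cc presumably only build against BoringSSL unless a compatibility shim outside this diff provides it. All three sites also discard the return value, so a refused cap silently leaves the context at the library default maximum with nothing logged, whereas the neighbouring `SSL_CTX_set_cipher_list` call is checked and reported. Since `TLS1_3_VERSION` only exists in TLS 1.3-capable libraries, the call should either be guarded with `#ifdef TLS1_3_VERSION` or moved into one shared helper in ssl.cc so the spelling and error handling are decided once. Capping the maximum is an opt-in to TLS 1.3 rather than a hardening change; the floor remains whatever `ssl_opts` disables. HttpServer::run, h2load's main and nghttp's communicate each start and end outside their hunk.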
@@ -634,6 +634,8 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
   SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
 
+  SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);
+
   const unsigned char sid_ctx[] = "shrpx";
   SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
   SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
@@ -866,6 +868,8 @@ SSL_CTX *create_ssl_client_context(
   SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
 
+  SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);
+
   if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
     LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
                << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
diff --git a/src/ssl.cc b/src/ssl.cc
index e94261c9..3703e98a 100644
--- a/src/ssl.cc
+++ b/src/ssl.cc
@@ -83,6 +83,8 @@ const char *get_tls_protocol(SSL *ssl) {
     return "SSLv2";
   case SSL3_VERSION:
     return "SSLv3";
+  case TLS1_3_VERSION:
+    return "TLSv1.3";
   case TLS1_2_VERSION:
     return "TLSv1.2";
   case TLS1_1_VERSION:
@@ -140,7 +142,7 @@ bool check_http2_cipher_black_list(SSL *ssl) {
 
 bool check_http2_tls_version(SSL *ssl) {
   auto tls_ver = SSL_version(ssl);
-  return tls_ver == TLS1_2_VERSION;
+  return tls_ver >= TLS1_2_VERSION;
 }
 
 bool check_http2_requirement(SSL *ssl) {
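Review bot: `SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);` in create_ssl_context discards its return value, while the setup call that can fail in the create_ssl_client_context hunk (`SSL_CTX_set_cipher_list`) is checked and terminates with `LOG(FATAL)`; the same unchecked call is added to create_ssl_client_context. A refused cap leaves the maximum at the library default with no trace in the log, so the line should be `if (SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION) == 0) { LOG(FATAL) << "SSL_CTX_set_max_proto_version failed: " << ERR_error_string(ERR_get_error(), nullptr); }`. A one-line comment would also record the intent, e.g. `// Raise the ceiling to TLS 1.3; disabled versions are still masked by tlsconf.tls_proto_mask above.` Both functions start and end outside their hunks.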
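Review bot: `return tls_ver >= TLS1_2_VERSION;` in check_http2_tls_version is right for TLS (RFC 7540 section 9.2 requires TLS 1.2 or later, and the TLS version codes increase with the version), but the function accepts any `SSL *` and DTLS version codes are not ordered the same way, so the relaxation from `==` deserves a comment such as `// RFC 7540 section 9.2: TLS 1.2 or later. Assumes TLS version codes increase with the version; DTLS codes do not.` The new "TLSv1.3" case added to get_tls_protocol earlier in this file is consistent with this change.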